This analysis focuses on the Android banking trojan Hook and its predecessor ERMAC, both created by DukeEugene [2]. The trojans share similar code implementation and capabilities, including keystroke logging, overlay attacks [1] [2], and credential theft from over 700 apps. Hook also has additional functionalities, such as device control, front-facing camera photo capture, cookie harvesting, and address replacement. The majority of the trojans’ command-and-control servers are located in Russia [2], and although the Hook project seems to be inactive, its source code has been sold on an underground forum [2]. Additionally, a China-nexus threat actor has been linked to an Android spyware campaign targeting South Korean users [1] [2], with capabilities including information theft, call redirection, and SMS interception. The campaign’s WHOIS record and Chinese language strings in the malware source code suggest connections to China [2]. Another actor named RedDragon has taken over the Hook project until customer subscriptions expire [1]. Lastly, an Israeli spyware company called Insanet has developed a product called Sherlock [2], which infects devices through online advertisements to collect sensitive data [2].

Description

A new analysis of the Android banking trojan Hook reveals that it is based on its predecessor ERMAC and that both malware strains were created by DukeEugene [2]. They share a similar code implementation and can log keystrokes, conduct overlay attacks [1] [2], and steal credentials from over 700 apps [1] [2]. Hook also has extra functionalities that allow it to control infected devices [1], capture photos using the front-facing camera [2], harvest cookies [1], and replace copied wallet addresses with attacker-controlled ones [1]. The majority of the command-and-control servers for both trojans are located in Russia [2]. Although the Hook project appears to have been shut down [2], its source code has been sold on an underground forum [2].

Furthermore, a China-nexus threat actor has been linked to an Android spyware campaign targeting users in South Korea [1] [2]. The spyware is distributed through deceptive phishing websites and can steal sensitive information [2]. It can also redirect incoming calls and intercept SMS messages [2], and it contains an unfinished keylogging functionality [2]. The C2 server’s WHOIS record and Chinese language strings in the malware source code suggest connections to China [2].

Separately, another actor named RedDragon has taken over the Hook project until customer subscriptions expire [1].

It is worth noting that an Israeli spyware company called Insanet has developed a product called Sherlock that infects devices via online advertisements to collect sensitive data [2].

Conclusion

The presence of the Android banking trojan Hook and its predecessor ERMAC, both created by DukeEugene [2], poses significant risks to users. These trojans can log keystrokes, conduct overlay attacks [1] [2], and steal credentials from numerous apps [2]. Hook’s additional functionalities [1], such as device control and address replacement, further enhance its malicious capabilities. The fact that the majority of the trojans’ command-and-control servers are located in Russia raises concerns about their origin and potential collaboration with threat actors in that region. The involvement of a China-nexus threat actor in an Android spyware campaign targeting South Korean users highlights the global nature of cyber threats. The connections to China through the campaign’s WHOIS record and malware source code suggest potential state-sponsored activity. The takeover of the Hook project by RedDragon until customer subscriptions expire indicates that the threat continues. Additionally, the development of Sherlock by Insanet underscores the ongoing development and sophistication of spyware products. It is crucial for users to remain vigilant, employ strong security measures, and stay informed about emerging threats to protect their sensitive data.

References

[1] https://thenimblenerd.com/article/when-malware-plays-hot-potato-the-intriguing-saga-of-hook-and-ermac/
[2] https://thehackernews.com/2023/09/hook-new-android-banking-trojan-that.html